<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Configuring role mappings | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'oidc-role-mapping.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/oidc-role-mapping.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/oidc-role-mapping.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/oidc-role-mapping.html" rel="nofollow" target="_blank">../en/oidc-role-mapping.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="oidc-guide.html">Configuring single sign-on to the Elastic Stack using OpenID Connect</a></span>
»
<span class="breadcrumb-node">Configuring role mappings</span>
</div>
<div class="navheader">
<span class="prev">
<a href="oidc-guide-authentication.html">« Configure Elasticsearch for OpenID Connect authentication</a>
</span>
<span class="next">
<a href="oidc-user-metadata.html">User metadata »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="oidc-role-mapping"></a>Configuring role mappings<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/oidc-guide.asciidoc">edit</a>
</h2>
</div></div></div>
<p>When a user authenticates using OpenID Connect, they are identified to the Elastic Stack,
but this does not automatically grant them access to perform any actions or
access any data.</p>
<p>Your OpenID Connect users cannot do anything until they are assigned roles. This can be done
through either the
<a class="xref" href="security-api-put-role-mapping.html" title="Create or update role mappings API">add role mapping API</a> or with
<a class="xref" href="realm-chains.html#authorization_realms" title="Delegating authorization to another realm">authorization realms</a>.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>You cannot use <a class="xref" href="mapping-roles.html#mapping-roles-file" title="Using role mapping files">role mapping files</a>
to grant roles to users authenticating via OpenID Connect.</p>
</div>
</div>
<p>This is an example of a simple role mapping that grants the <code class="literal">example_role</code> role
to any user who authenticates against the <code class="literal">oidc1</code> OpenID Connect realm:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">PUT /_security/role_mapping/oidc-example
{
  "roles": [ "example_role" ], <a id="CO480-1"></a><i class="conum" data-value="1"></i>
  "enabled": true,
  "rules": {
    "field": { "realm.name": "oidc1" }
  }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1235.console"></div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO480-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The <code class="literal">example_role</code> role is <span class="strong strong"><strong>not</strong></span> a builtin Elasticsearch role.
This example assumes that you have created a custom role of your own, with
appropriate access to your <a class="xref" href="defining-roles.html#roles-indices-priv" title="Indices Privileges">indices</a> and
<a href="https://www.elastic.co/guide/en/kibana/7.7/kibana-privileges.html#kibana-feature-privileges" class="ulink" target="_top">Kibana features</a>.</p>
</td>
</tr>
</table>
</div>
<p>The user properties that are mapped via the realm configuration are used to process
role mapping rules, and these rules determine which roles a user is granted.</p>
<p>The user fields that are provided to the role
mapping are derived from the OpenID Connect claims as follows:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal">username</code>: The <code class="literal">principal</code> user property
</li>
<li class="listitem">
<code class="literal">dn</code>: The <code class="literal">dn</code> user property
</li>
<li class="listitem">
<code class="literal">groups</code>: The <code class="literal">groups</code> user property
</li>
<li class="listitem">
<code class="literal">metadata</code>: See <a class="xref" href="oidc-user-metadata.html" title="User metadata">User metadata</a>
</li>
</ul>
</div>
<p>For more information, see <a class="xref" href="mapping-roles.html" title="Mapping users and groups to roles">Mapping users and groups to roles</a> and
<a class="xref" href="security-api.html#security-role-mapping-apis" title="Role mappings">role mapping APIs</a>.</p>
<p>If your OP has the ability to provide groups or roles to RPs via tha use of
an OpenID Claim, then you should map this claim to the <code class="literal">claims.groups</code> setting in
the Elasticsearch realm (see <a class="xref" href="oidc-guide-authentication.html#oidc-claim-to-property" title="Mapping claims to user properties">Mapping claims to user properties</a>), and then make use of it in a role mapping
as per the example below.</p>
<p>This mapping grants the Elasticsearch <code class="literal">finance_data</code> role, to any users who authenticate
via the <code class="literal">oidc1</code> realm with the <code class="literal">finance-team</code> group membership.</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">PUT /_security/role_mapping/oidc-finance
{
  "roles": [ "finance_data" ],
  "enabled": true,
  "rules": { "all": [
        { "field": { "realm.name": "oidc1" } },
        { "field": { "groups": "finance-team" } }
  ] }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1236.console"></div>
<p>If your users also exist in a repository that can be directly accessed by Elasticsearch
(such as an LDAP directory) then you can use
<a class="xref" href="realm-chains.html#authorization_realms" title="Delegating authorization to another realm">authorization realms</a> instead of role mappings.</p>
<p>In this case, you perform the following steps:
1. In your OpenID Connect realm, assign a claim to act as the lookup userid,
   by configuring the <code class="literal">claims.principal</code> setting.
2. Create a new realm that can lookup users from your local repository (e.g. an
   <code class="literal">ldap</code> realm)
3. In your OpenID Connect realm, set <code class="literal">authorization_realms</code> to the name of the realm you
   created in step 2.</p>
</div>
<div class="navfooter">
<span class="prev">
<a href="oidc-guide-authentication.html">« Configure Elasticsearch for OpenID Connect authentication</a>
</span>
<span class="next">
<a href="oidc-user-metadata.html">User metadata »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>